2016-01-20 Linux kernel vulnerability (CVE-2016-0728)

CVE-2016-0728 is caused by a reference leak in the keyrings facility and affects every Linux kernel from v3.8 onwards.

The keyrings facility is primarily a way for drivers to retain or cache security data, authentication keys, encryption keys and other data in the kernel. Each process can create a keyring for the current session using keyctl(KEYCTL_JOIN_SESSION_KEYRING, name), either giving the keyring a name or passing NULL for an anonymous one. A named keyring object can be shared between processes, since any process that joins the same keyring name gets the same object.

Although the bug by itself only causes a memory leak directly, its consequences are far more serious. The outline of the steps that the exploit code has to execute is as follows:

1. Hold a (legitimate) reference to a key object.

2. Overflow the same object's usage count.

3. Get the keyring object freed.

4. Allocate a different kernel object from user-space, with user-controlled content, over the same memory previously used by the freed keyring object.
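The reference leak behind steps 1 and 2, as an added user-space model: this is not kernel code and not from the original advisory. It builds a toy key object and credential and a join_session_keyring_model() function that follows the shape of the kernel's handling of KEYCTL_JOIN_SESSION_KEYRING for an existing name: the name lookup returns the keyring with one reference taken; when that keyring is already the caller's session keyring there is nothing to install, and the vulnerable kernel returned on that path without dropping the lookup reference, which the upstream fix releases. The struct layouts, the function names, the 'fixed' switch and the 32-bit usage field are assumptions made for the model. It shows both the per-call leak and why the object can then never be freed normally (the plain memory leak mentioned above).

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a kernel key object: only the fields the bug touches.
 * The usage counter is 32 bits wide, like the kernel's atomic_t (assumption
 * for the model; the real struct has many more fields). */
struct key {
    uint32_t usage;   /* reference count; the object is freed when it reaches 0 */
    bool freed;
    const char *name;
};

/* Toy model of a process credential: just the session keyring pointer. */
struct cred {
    struct key *session_keyring;
};

static struct key *key_get(struct key *k)
{
    k->usage++;
    return k;
}

static void key_put(struct key *k)
{
    if (--k->usage == 0)
        k->freed = true;   /* stands in for the kernel's deferred free */
}

/* Model of keyctl(KEYCTL_JOIN_SESSION_KEYRING, name) for a name that already
 * exists. 'fixed' selects the patched behaviour; a real kernel has no such
 * switch. Returns 0 on success, as the syscall does. */
static int join_session_keyring_model(struct cred *cred, struct key *named, bool fixed)
{
    /* The name lookup hands back the keyring with one reference taken. */
    struct key *keyring = key_get(named);

    if (keyring == cred->session_keyring) {
        /* Already our session keyring: nothing to install. The vulnerable
         * kernel returned here while still holding the lookup reference. */
        if (fixed)
            key_put(keyring);
        return 0;
    }

    /* Install it: the cred keeps the lookup reference and drops the one it
     * held on the previous session keyring, if any. */
    if (cred->session_keyring)
        key_put(cred->session_keyring);
    cred->session_keyring = keyring;
    return 0;
}

/* Join the same named keyring n times from one process and report the
 * keyring's usage count afterwards. Start state: one reference (the owner),
 * no session keyring in the process. */
uint32_t usage_after_joins(unsigned n, bool fixed)
{
    struct key kr = { .usage = 1, .freed = false, .name = "demo" };  /* constructed */
    struct cred c = { .session_keyring = NULL };

    for (unsigned i = 0; i < n; i++)
        join_session_keyring_model(&c, &kr, fixed);
    return kr.usage;
}

/* Same, but the process then exits and its cred releases the session keyring.
 * On a fixed kernel only the owner reference remains; on a vulnerable one the
 * leaked references keep the object alive for good: the plain memory leak. */
uint32_t usage_after_joins_and_exit(unsigned n, bool fixed)
{
    struct key kr = { .usage = 1, .freed = false, .name = "demo" };  /* constructed */
    struct cred c = { .session_keyring = NULL };

    for (unsigned i = 0; i < n; i++)
        join_session_keyring_model(&c, &kr, fixed);
    if (c.session_keyring)
        key_put(c.session_keyring);
    return kr.usage;
}

int main(void)
{
    printf("10 joins, vulnerable:           usage=%" PRIu32 "\n", usage_after_joins(10, false));
    printf("10 joins, fixed:                usage=%" PRIu32 "\n", usage_after_joins(10, true));
    printf("10 joins then exit, vulnerable: usage=%" PRIu32 "\n", usage_after_joins_and_exit(10, false));
    printf("10 joins then exit, fixed:      usage=%" PRIu32 "\n", usage_after_joins_and_exit(10, true));
    return 0;
}
```

On the fixed path the count settles at two references (owner plus session) however many times the name is joined, and returns to one when the process exits. On the vulnerable path every repeated join of the already-installed keyring adds a reference that nobody will ever release, which is why the count can be driven all the way around the 32-bit counter from user space and why the object leaks even when the caller stops well short of that.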